
General Information

Number of newly started processes analysed: 4
Number of newly started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Success Statistics:
  • POIButNoSDmp: 0
  • BadPOI: 6
  • TotalInputPOI: 312
  • UnresolvedImplicitCalls: 188
  • ResolvedImplicitCalls: 242
  • NoCallBeforePOI: 0
  • POIImplicitCalls: 167
  • POIFound: 306
  • AllImplicitCalls: 597
Warnings:
  • Too many NtQueryDirectoryFile calls (excessive behavior)
  • Too many NtProtectVirtualMemory calls (excessive behavior)

Classification / Threat Score

Scored categories (the per-category scores are not included in this export):
  • Persistence, Installation, Boot Survival
  • Hiding, Stealthiness, Detection and Removal Protection
  • Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection
  • Spreading
  • Exploiting
  • Networking
  • Data spying, Sniffing, Keylogging, Ebanking Fraud

Matching Signatures

Behavior Signatures
Creates files inside the user directory
Queries a list of all running processes
Spawns processes
Urls found in memory or binary data
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Binary may include packed or crypted data
Checks if the current process is being debugged
Creates an autostart registry key
Creates files inside the system directory
Creates mutexes:
  • \BaseNamedObjects\Local\c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
  • \BaseNamedObjects\Local\c:!documents and settings!networkservice!cookies!
  • \BaseNamedObjects\Local\c:!documents and settings!networkservice!local settings!history!history.ie5!
  (These are the WinINet cache-directory locks for the NetworkService profile, a side effect of the WININET.dll API the binary imports rather than a sample-specific mutex name.)
Drops PE files
Enumerates the file system
Found strings which match to known social media urls
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
PE sections with suspicious entropy found
Performs DNS lookups
Posts data to webserver
Contains capabilities to detect virtual machines
Creates autorun.inf (USB autostart)
Modifies the context of a thread in another process (thread injection)
Shows file infector / information gathering behavior (enumerates multiple directories for files)

Code Signatures
Contains functionality to download additional files from the internet
Contains functionality to enumerate / list files inside a directory
Contains functionality to query local / system time
Contains functionality to start windows services
Contains functionality to dynamically determine API calls

Startup

  • svchst.exe (PID: 1508 MD5: 6B16C4526A013E744B3D91CD7A091C36)
    • svchst.exe (PID: 1616 MD5: 6B16C4526A013E744B3D91CD7A091C36)

Created / dropped Files

File Path MD5
C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf E94FCAB2699C22CF69387EA0EE892968
C:\WINDOWS\mssys.dll 879631FB71EEF07DB32A97E8DAD372EA
C:\WINDOWS\svchst.exe 6B16C4526A013E744B3D91CD7A091C36
C:\autorun.inf 22E7E2047F46662384F91EAC7EFCC806
\ROUTER DF3F6F25E4716A933F765B3AE24BC869
\net\NtControlPipe20 5DBF9AB5CA0D05D4E1865D918572E54B

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File name: vm_tricks_sample
File size: 196608
MD5: 6b16c4526a013e744b3d91cd7a091c36
SHA1: 610e916e1f3c5c9faebdd539d9ff2d82a807e1e2
SHA256: f7e1cb9f307794648443497824a72af7c22a6fd77ad67698affc5979172750a2
SHA512: 2ece4f9afee77f8bdd9e6b37c95e5e51632d8628d8946b7e52f1518ca6397b757f89e2e21b153cb8c85eb854afca34cc871ef7f07a0c2ee194a6965c833d5274

Static PE Info

General
Entrypoint: 0x41611c
Entrypoint Section: .text
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x81C4B2F8 [Tue Dec 28 12:22:16 2038 UTC]
TLS Callbacks:
Resources
Name RVA Size Type Language Country
RT_RCDATA 0x1906c 0x12600 ump; data
Imports
DLL Import
ntdll.dll NtUnmapViewOfSection
WS2_32.dll WSAConnect, WSASocketA
WININET.dll InternetGetConnectedState
KERNEL32.dll HeapAlloc, CloseHandle, HeapFree, WriteFile, CreateFileA, SetFilePointer, GetProcessHeap, ExitProcess, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, DeleteFileA
USER32.dll wvsprintfA
Sections
Name Virtual Address Virtual Size Raw Size Entropy
.text 0x1000 0x18000 0x18000 7.15986996647
.rsrc 0x19000 0x1266c 0x12800 7.85865882135
.reloc 0x2c000 0x5600 0x5400 2.2117994718

String Analysis

URLs
String value Source
http://grub.org) vm_tricks_sample.exe, svchst.exe
http://help.naver.com/delete_main.asp) vm_tricks_sample.exe, svchst.exe
http://mahaajan.in/dd/ svchst.exe, vm_tricks_sample, svchst.exe.dr
http://mahaajan.in/dd/diwar.php vm_tricks_sample.exe, svchst.exe
http://sp.ask.com/docs/about/tech_crawling.html) vm_tricks_sample.exe, svchst.exe
http://www.ba.be) vm_tricks_sample.exe, svchst.exe
http://www.changedetection.com/bot.html vm_tricks_sample.exe, svchst.exe
http://www.cnet.com/) vm_tricks_sample.exe, svchst.exe
http://www.google.com/bot.html) svchst.exe
http://www.net-promoter.com/) vm_tricks_sample.exe, svchst.exe
http://www.netnose.com) vm_tricks_sample.exe, svchst.exe
http://www.powerset.com) vm_tricks_sample.exe, svchst.exe
http://www.searchhippo.com/; vm_tricks_sample.exe, svchst.exe
http://www.wisenutbot.com) vm_tricks_sample.exe, svchst.exe
AV process names
String value Source
Autoruns.exe svchst.exe, svchst.exe.dr
Social media names
String value Source
Mozilla/4.0 (compatible; Yahoo Japan; for robot study; kasugiya) equals www.yahoo.com (Yahoo) vm_tricks_sample.exe, svchst.exe
VM Artifacts
String value Source
VBoxMouse svchst.exe.dr
xenvdb svchst.exe.dr
vmdebug svchst.exe.dr
VBoxService svchst.exe.dr
vpcbus svchst.exe.dr
vmicvss svchst.exe.dr
vpcuhub svchst.exe.dr
vmwaretray.exe svchst.exe.dr
vmware svchst.exe.dr
xennet6 svchst.exe.dr
vmusrvc.exe svchst.exe, vm_tricks_sample, svchst.exe.dr
VBOX__ svchst.exe, vm_tricks_sample, svchst.exe.dr
xensvc svchst.exe.dr
xenevtchn svchst.exe.dr
vmicexchange svchst.exe.dr
VMTools svchst.exe.dr
xennet svchst.exe.dr
VBoxSF svchst.exe.dr
vpc-s3 svchst.exe.dr
VMMEMCTL svchst.exe.dr
vmwareuser.exe svchst.exe.dr
VBoxGuest svchst.exe.dr
vmicshutdown svchst.exe.dr
Hyper-V svchst.exe, vm_tricks_sample, svchst.exe.dr
vmsrvc.exe svchst.exe.dr
vboxtray.exe svchst.exe, vm_tricks_sample, svchst.exe.dr
msvmmouf svchst.exe.dr
VirtualMachine svchst.exe, vm_tricks_sample, svchst.exe.dr
vmicheartbeat svchst.exe.dr
vmmouse svchst.exe.dr
vboxservice.exe svchst.exe.dr
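The strings above are the service, driver and process names of the guest tools of VirtualBox, VMware, Hyper-V, Xen and Virtual PC; a binary carrying them typically compares them against the running service and process lists to decide whether it is inside an analysis VM. The following Python is an added example, not code from the report or the sample: it groups the report's artifact strings by hypervisor family (the grouping is mine) and scans a buffer for them in both ASCII and UTF-16LE, because a binary calling the wide-character Windows APIs stores service names as UTF-16LE and an ASCII-only strings pass misses them. The sample buffer is constructed for the example.

```python
"""Scan a buffer for the hypervisor guest-tool names the report lists under
"VM Artifacts", in both ASCII and UTF-16LE encodings."""

# The report's artifact strings, grouped by the product whose guest tools,
# drivers or services they name (the grouping is mine, not the report's).
VM_ARTIFACTS = {
    "VirtualBox": ["VBoxMouse", "VBoxService", "VBoxSF", "VBoxGuest", "VBOX__",
                   "vboxtray.exe", "vboxservice.exe"],
    "VMware": ["vmware", "vmwaretray.exe", "vmwareuser.exe", "VMTools", "VMMEMCTL",
               "vmmouse", "vmdebug"],
    "Hyper-V": ["Hyper-V", "vmicvss", "vmicexchange", "vmicshutdown", "vmicheartbeat"],
    "Xen": ["xenvdb", "xennet", "xennet6", "xensvc", "xenevtchn"],
    "Virtual PC": ["vpcbus", "vpcuhub", "vpc-s3", "msvmmouf", "vmusrvc.exe", "vmsrvc.exe"],
    "generic": ["VirtualMachine"],
}


def scan_vm_artifacts(blob: bytes) -> dict:
    """Return {family: [(artifact, encoding), ...]} for every artifact found.
    Matching is case-insensitive: bytes.lower() only touches ASCII letters, so
    it lowers the low byte of each UTF-16LE code unit and leaves the zero high
    bytes alone. Longer names are matched first and blanked out so that
    "vmware" is not reported a second time inside "vmwaretray.exe"."""
    hay = bytearray(blob.lower())
    hits = {}
    names = sorted(((name, fam) for fam, lst in VM_ARTIFACTS.items() for name in lst),
                   key=lambda item: -len(item[0]))
    for name, fam in names:
        for codec, label in (("ascii", "ascii"), ("utf-16-le", "utf-16le")):
            needle = name.lower().encode(codec)
            pos = hay.find(needle)
            if pos != -1:
                hits.setdefault(fam, []).append((name, label))
                hay[pos:pos + len(needle)] = b" " * len(needle)
    return hits


# Constructed sample buffer: one ASCII service name, one UTF-16LE process name
# (invisible to an ASCII-only strings run) and one Hyper-V service name.
SAMPLE_BLOB = (
    b"This program cannot be run in DOS mode.\x00"
    + b"VBoxService\x00"
    + "vmwaretray.exe".encode("utf-16-le")
    + b"\x00\x00vmicheartbeat\x00"
)

if __name__ == "__main__":
    for fam, found in scan_vm_artifacts(SAMPLE_BLOB).items():
        print(fam, found)
```

Run against a process memory dump or the dropped svchst.exe, the same scan reports which families the sample is prepared to recognise; an empty result for a family tells you nothing about that family, since the names may be built at runtime or obfuscated.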

Network Behavior

TCP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Oct 12, 2012 14:46:29.692397118 CEST 1039 80 192.168.0.10 208.91.198.109
Oct 12, 2012 14:46:29.692428112 CEST 80 1039 208.91.198.109 192.168.0.10
Oct 12, 2012 14:46:29.692787886 CEST 1039 80 192.168.0.10 208.91.198.109
Oct 12, 2012 14:46:29.695838928 CEST 1039 80 192.168.0.10 208.91.198.109
Oct 12, 2012 14:46:29.695852041 CEST 80 1039 208.91.198.109 192.168.0.10
Oct 12, 2012 14:46:30.878057003 CEST 80 1039 208.91.198.109 192.168.0.10
Oct 12, 2012 14:46:31.025012970 CEST 1039 80 192.168.0.10 208.91.198.109
Oct 12, 2012 14:46:31.132304907 CEST 80 1039 208.91.198.109 192.168.0.10
Oct 12, 2012 14:46:31.133229971 CEST 1039 80 192.168.0.10 208.91.198.109
Oct 12, 2012 14:46:31.133299112 CEST 80 1039 208.91.198.109 192.168.0.10
Oct 12, 2012 14:46:31.133637905 CEST 1039 80 192.168.0.10 208.91.198.109
UDP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Oct 12, 2012 14:46:22.548973083 CEST 61120 53 192.168.0.10 195.186.1.121
Oct 12, 2012 14:46:22.549093008 CEST 53 61120 195.186.1.121 192.168.0.10
Oct 12, 2012 14:46:22.549518108 CEST 61120 53 192.168.0.10 195.186.4.121
Oct 12, 2012 14:46:22.549561024 CEST 53 61120 195.186.4.121 192.168.0.10
Oct 12, 2012 14:46:24.482346058 CEST 51208 53 192.168.0.10 195.186.1.121
Oct 12, 2012 14:46:24.482446909 CEST 53 51208 195.186.1.121 192.168.0.10
Oct 12, 2012 14:46:24.482691050 CEST 51208 53 192.168.0.10 195.186.4.121
Oct 12, 2012 14:46:24.482727051 CEST 53 51208 195.186.4.121 192.168.0.10
Oct 12, 2012 14:46:25.305315018 CEST 56719 53 192.168.0.10 195.186.1.121
Oct 12, 2012 14:46:26.293629885 CEST 56719 53 192.168.0.10 195.186.4.121
Oct 12, 2012 14:46:27.290111065 CEST 56719 53 192.168.0.10 195.186.1.121
Oct 12, 2012 14:46:29.292324066 CEST 56719 53 192.168.0.10 195.186.1.121
Oct 12, 2012 14:46:29.292573929 CEST 56719 53 192.168.0.10 195.186.4.121
Oct 12, 2012 14:46:29.633065939 CEST 53 56719 195.186.1.121 192.168.0.10
Oct 12, 2012 14:46:30.600799084 CEST 53 56719 195.186.4.121 192.168.0.10
Oct 12, 2012 14:46:30.647813082 CEST 53 56719 195.186.1.121 192.168.0.10
Oct 12, 2012 14:46:32.206891060 CEST 53 56719 195.186.1.121 192.168.0.10
Oct 12, 2012 14:46:32.264456987 CEST 53 56719 195.186.4.121 192.168.0.10
ICMP Packets
Timestamp Source IP Dest IP Checksum Code Type
Oct 12, 2012 14:46:30.601129055 CEST 192.168.0.10 195.186.4.121 8629 (Port unreachable) Destination Unreachable
Oct 12, 2012 14:46:30.648020029 CEST 192.168.0.10 195.186.1.121 8329 (Port unreachable) Destination Unreachable
Oct 12, 2012 14:46:32.207338095 CEST 192.168.0.10 195.186.1.121 8329 (Port unreachable) Destination Unreachable
Oct 12, 2012 14:46:32.264925003 CEST 192.168.0.10 195.186.4.121 8629 (Port unreachable) Destination Unreachable
(Each port-unreachable message follows, within a millisecond, one of the late DNS answers to port 56719 listed under UDP Packets: the sample had already closed the querying socket after receiving the first answer at 14:46:29.633.)
DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
Oct 12, 2012 14:46:22.548973083 CEST 192.168.0.10 195.186.1.121 0x2cd5 Standard query (0) http://mahaajan.in/dd/ A (IP address) IN (0x0001)
Oct 12, 2012 14:46:22.549518108 CEST 192.168.0.10 195.186.4.121 0x2cd5 Standard query (0) http://mahaajan.in/dd/ A (IP address) IN (0x0001)
Oct 12, 2012 14:46:24.482346058 CEST 192.168.0.10 195.186.1.121 0x2c1b Standard query (0) http://mahaajan.in/dd/ A (IP address) IN (0x0001)
Oct 12, 2012 14:46:24.482691050 CEST 192.168.0.10 195.186.4.121 0x2c1b Standard query (0) http://mahaajan.in/dd/ A (IP address) IN (0x0001)
Oct 12, 2012 14:46:25.305315018 CEST 192.168.0.10 195.186.1.121 0xab84 Standard query (0) mahaajan.in A (IP address) IN (0x0001)
Oct 12, 2012 14:46:26.293629885 CEST 192.168.0.10 195.186.4.121 0xab84 Standard query (0) mahaajan.in A (IP address) IN (0x0001)
Oct 12, 2012 14:46:27.290111065 CEST 192.168.0.10 195.186.1.121 0xab84 Standard query (0) mahaajan.in A (IP address) IN (0x0001)
Oct 12, 2012 14:46:29.292324066 CEST 192.168.0.10 195.186.1.121 0xab84 Standard query (0) mahaajan.in A (IP address) IN (0x0001)
Oct 12, 2012 14:46:29.292573929 CEST 192.168.0.10 195.186.4.121 0xab84 Standard query (0) mahaajan.in A (IP address) IN (0x0001)
DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
Oct 12, 2012 14:46:22.549093008 CEST 195.186.1.121 192.168.0.10 0x2cd5 Server failure (2) http://mahaajan.in/dd/ none none A (IP address) IN (0x0001)
Oct 12, 2012 14:46:22.549561024 CEST 195.186.4.121 192.168.0.10 0x2cd5 Server failure (2) http://mahaajan.in/dd/ none none A (IP address) IN (0x0001)
Oct 12, 2012 14:46:24.482446909 CEST 195.186.1.121 192.168.0.10 0x2c1b Server failure (2) http://mahaajan.in/dd/ none none A (IP address) IN (0x0001)
Oct 12, 2012 14:46:24.482727051 CEST 195.186.4.121 192.168.0.10 0x2c1b Server failure (2) http://mahaajan.in/dd/ none none A (IP address) IN (0x0001)
Oct 12, 2012 14:46:29.633065939 CEST 195.186.1.121 192.168.0.10 0xab84 No error (0) mahaajan.in 208.91.198.109 A (IP address) IN (0x0001)
Oct 12, 2012 14:46:30.600799084 CEST 195.186.4.121 192.168.0.10 0xab84 No error (0) mahaajan.in 208.91.198.109 A (IP address) IN (0x0001)
Oct 12, 2012 14:46:30.647813082 CEST 195.186.1.121 192.168.0.10 0xab84 No error (0) mahaajan.in 208.91.198.109 A (IP address) IN (0x0001)
Oct 12, 2012 14:46:32.206891060 CEST 195.186.1.121 192.168.0.10 0xab84 No error (0) mahaajan.in 208.91.198.109 A (IP address) IN (0x0001)
Oct 12, 2012 14:46:32.264456987 CEST 195.186.4.121 192.168.0.10 0xab84 No error (0) mahaajan.in 208.91.198.109 A (IP address) IN (0x0001)
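The first four queries above carry a whole URL ("http://mahaajan.in/dd/") in the QNAME, which is not a valid host name and which the resolvers reject with SERVFAIL; the sample only reaches its server once it queries the bare name "mahaajan.in". URL-shaped QNAMEs are a cheap, high-signal detection, and the failed lookups still name the infrastructure the sample wanted. The following Python is an added example, not part of the report: it runs that check over a log transcribed from the two DNS tables into a constructed one-record-per-line format, pairs SERVFAIL answers with their queries by transaction id, and recovers the host embedded in the malformed names as an indicator alongside what actually resolved.

```python
"""Triage of the resolver traffic recorded for the sample: flag queries whose
QNAME is not a valid host name, pair them with SERVFAIL answers by transaction
id, and recover the embedded domain as an indicator."""
import re
from urllib.parse import urlsplit

# Constructed log: the report's DNS Queries / DNS Answers rows transcribed into
# one record per line.
#   Q <time> <src> <dst> <txid> <qname> <qtype>
#   R <time> <src> <dst> <txid> <rcode> <qname> <rdata or ->
SAMPLE_DNS_LOG = """\
Q 14:46:22.548 192.168.0.10 195.186.1.121 0x2cd5 http://mahaajan.in/dd/ A
R 14:46:22.549 195.186.1.121 192.168.0.10 0x2cd5 SERVFAIL http://mahaajan.in/dd/ -
Q 14:46:22.549 192.168.0.10 195.186.4.121 0x2cd5 http://mahaajan.in/dd/ A
R 14:46:22.549 195.186.4.121 192.168.0.10 0x2cd5 SERVFAIL http://mahaajan.in/dd/ -
Q 14:46:24.482 192.168.0.10 195.186.1.121 0x2c1b http://mahaajan.in/dd/ A
R 14:46:24.482 195.186.1.121 192.168.0.10 0x2c1b SERVFAIL http://mahaajan.in/dd/ -
Q 14:46:25.305 192.168.0.10 195.186.1.121 0xab84 mahaajan.in A
Q 14:46:26.293 192.168.0.10 195.186.4.121 0xab84 mahaajan.in A
R 14:46:29.633 195.186.1.121 192.168.0.10 0xab84 NOERROR mahaajan.in 208.91.198.109
R 14:46:30.600 195.186.4.121 192.168.0.10 0xab84 NOERROR mahaajan.in 208.91.198.109
"""

# RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def recover_host(qname: str):
    """If a whole URL was handed to the resolver, pull the host out of it."""
    if "://" not in qname:
        return None
    return urlsplit(qname).hostname


def analyse_dns(log: str) -> dict:
    malformed = []    # (txid, qname, recovered host), one entry per distinct query
    servfail = set()  # transaction ids the resolver answered with SERVFAIL
    resolved = {}     # qname -> address from NOERROR answers
    for line in log.splitlines():
        f = line.split()
        if not f:
            continue
        kind, txid = f[0], f[4]
        if kind == "Q":
            qname = f[5]
            if not is_valid_hostname(qname):
                entry = (txid, qname, recover_host(qname))
                if entry not in malformed:
                    malformed.append(entry)
        elif kind == "R":
            rcode, qname, rdata = f[5], f[6], f[7]
            if rcode == "SERVFAIL":
                servfail.add(txid)
            elif rcode == "NOERROR" and rdata != "-":
                resolved[qname] = rdata
    # A SERVFAIL on a URL-shaped name is a failed lookup, but the host inside it
    # is still the infrastructure the sample wanted; record it with what resolved.
    indicators = sorted({host for _, _, host in malformed if host} | set(resolved))
    return {"malformed": malformed, "servfail": sorted(servfail),
            "resolved": resolved, "indicators": indicators}


if __name__ == "__main__":
    result = analyse_dns(SAMPLE_DNS_LOG)
    for txid, qname, host in result["malformed"]:
        status = "SERVFAIL" if txid in result["servfail"] else "answered"
        print("%s %-26s -> %s (%s)" % (txid, qname, host, status))
    print("resolved:", result["resolved"])
    print("indicators:", result["indicators"])
```

On real resolver logs the same label check also catches QNAMEs with spaces, backslashes or embedded paths, all of which point at a client that passed an unparsed string to gethostbyname rather than at a DNS problem.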
HTTP Request Dependency Graph
  • mahaajan.in
HTTP Packets
Request, Oct 12, 2012 14:46:29.695838928 CEST, 192.168.0.10:1039 -> 208.91.198.109:80:
POST /dd/diwar.php HTTP/1.0
Host: mahaajan.in
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
(the 34-byte form-encoded body is not reproduced in the report)
Response, Oct 12, 2012 14:46:30.878057003 CEST, 208.91.198.109:80 -> 192.168.0.10:1039:
HTTP/1.1 500 Internal Server Error
Date: Fri, 12 Oct 2012 12:46:30 GMT
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 mod_fcgid/2.3.6
Content-Length: 688
Connection: close
Content-Type: text/html; charset=iso-8859-1

Code Manipulation Behavior

System Behavior

General
Start time: 09:39:49
Start date: 24/01/2012
Path: C:\vm_tricks_sample.exe
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x400000
File size: 196608 bytes
MD5 hash: 6B16C4526A013E744B3D91CD7A091C36

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
y: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
x: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
w: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
v: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
u: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
t: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
s: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
r: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
q: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
p: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
o: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
n: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
m: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
l: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
k: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
j: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
i: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
h: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
g: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
f: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
e: read attributes and synchronize synchronous io non alert and non directory file false object name not found 2 414288 GetDriveTypeA
File Path Access Attributes Options Completion Count Source Address Symbol
C:\WINDOWS\mssys.dll read attributes and synchronize and generic write system synchronous io non alert and non directory file success or wait 1 413FC0 CreateFileA
File Path Offset Length Value Completion Count Source Address Symbol
C:\WINDOWS\mssys.dll unknown 67072 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f6 40 00 c3 b2 21 6e 90 b2 21 6e 90 b2 21 6e 90 ac 73 ea 90 90 21 6e 90 ac 73 fb 90 a2 21 6e 90 ac 73 ed 90 df 21 6e 90 95 e7 15 90 b1 21 6e 90 b2 21 6f 90 d3 21 6e 90 ac 73 e7 90 b5 21 6e 90 ac 73 ff 90 b3 21 6e 90 52 69 63 68 b2 21 6e 90 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5d 34 88 4f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 00 01 00 00 10 00 00 00 b0 05 success or wait 1 414018 WriteFile
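The bytes written above are the start of a PE image: "MZ", e_lfanew = 0xd8, a DOS stub and a Rich header, then "PE\0\0" with Machine 0x014c, three sections, TimeDateStamp 0x4f88345d and Characteristics 0x2102 (EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL), followed by the first bytes of a PE32 optional header before the dump is cut off. The following Python is an added example, not part of the report: it parses exactly these header fields from the transcribed dump, decodes the timestamp, and applies the timestamp and section-entropy checks behind the "suspicious time stamp" (the parent's 0x81C4B2F8 decodes to 2038) and "suspicious entropy" signatures in the Static PE Info. The first-seen date (2012-10-12, the capture date in the report) and the 7.0 entropy threshold are my assumptions.

```python
"""Static triage of the header bytes the sandbox saw being written to
C:\\WINDOWS\\mssys.dll, plus the checks behind the report's "suspicious time
stamp" and "suspicious entropy" signatures."""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# The first 255 bytes of the 67072-byte WriteFile to mssys.dll, transcribed
# from the File Activities table (the sandbox truncates its dumps).
MSSYS_DLL_HEAD = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"  # IMAGE_DOS_HEADER: "MZ" ...
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "000000000000000000000000d8000000"  # ... e_lfanew = 0xd8
    "0e1fba0e00b409cd21b8014ccd215468"  # DOS stub
    "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320"
    "6d6f64652e0d0d0a2400000000000000"
    "f64000c3b2216e90b2216e90b2216e90"  # Rich header (MSVC linker metadata)
    "ac73ea9090216e90ac73fb90a2216e90"
    "ac73ed90df216e9095e71590b1216e90"
    "b2216f90d3216e90ac73e790b5216e90"
    "ac73ff90b3216e9052696368b2216e90"
    "0000000000000000504500004c010300"  # "PE\0\0", Machine 0x14c, 3 sections
    "5d34884f0000000000000000e0000221"  # TimeDateStamp ... Characteristics 0x2102
    "0b010900000001000010000000b005"    # PE32 optional header, cut off by the dump
)

CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FIRST_SEEN = 1350000000   # 2012-10-12T00:00:00Z, the capture date in the report (assumption)


def parse_pe_header(data: bytes) -> dict:
    """Decode the DOS header and COFF file header from a (possibly truncated)
    image; fields beyond the end of the dump are reported as absent."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=0x%x" % e_lfanew)
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    info = {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "sections": nsections,
        "timestamp": stamp,
        "compiled_utc": (EPOCH + timedelta(seconds=stamp)).isoformat(),
        "characteristics": [n for bit, n in CHARACTERISTICS.items() if chars & bit],
        "is_dll": bool(chars & 0x2000),
    }
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if len(data) >= opt + 2:
        info["pe_magic"] = struct.unpack_from("<H", data, opt)[0]   # 0x10b = PE32
    # Section headers (40 bytes each) start after the optional header.
    info["section_table_present"] = len(data) >= opt + opt_size + 40 * nsections
    return info


def timestamp_verdict(stamp: int, first_seen: int = FIRST_SEEN) -> str:
    """A build time after the first sighting, zero, or before 1990 cannot be genuine."""
    if stamp == 0:
        return "zeroed"
    if stamp > first_seen:
        return "future"
    if stamp < 631152000:                    # 1990-01-01T00:00:00Z
        return "implausibly old"
    return "plausible"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes.
    Packed or encrypted sections usually score above 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Section entropies as listed in the report's Static PE Info.
REPORTED_SECTIONS = [(".text", 7.15986996647), (".rsrc", 7.85865882135), (".reloc", 2.2117994718)]


def high_entropy_sections(sections, threshold: float = 7.0) -> list:
    return [name for name, ent in sections if ent >= threshold]


if __name__ == "__main__":
    hdr = parse_pe_header(MSSYS_DLL_HEAD)
    for key, value in hdr.items():
        print("%-22s %s" % (key, value))
    print("mssys.dll timestamp:   ", timestamp_verdict(hdr["timestamp"]))
    print("svchst.exe 0x81C4B2F8: ", timestamp_verdict(0x81C4B2F8))
    print("high-entropy sections: ", high_entropy_sections(REPORTED_SECTIONS))
```

The dropped DLL's stamp decodes to 2012-04-13 14:12:45 UTC, a plausible build date six months before the capture, whereas the parent binary's 0x81C4B2F8 lies past the 2038 signed-32-bit rollover and can only be a forged or corrupted value; the two stamps together suggest a packed loader wrapped around a separately built payload, which is consistent with the .text and .rsrc entropies above 7.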
File Path Disposition File Mask Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Application Data BothDirectoryInformation <.exe no such file 1 41410C FindFirstFileA
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp BothDirectoryInformation <.exe no such file 1 41410C FindFirstFileA
C:\WINDOWS\Web BothDirectoryInformation <.exe no such file 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\export\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\export\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\export\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\dump\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\dump\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\dump\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\syscalls\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\logs\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\logs\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\logs\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\udf\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\udf\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\udf\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\shoots\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\shoots\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\shoots\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\import\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
\;Z:0000000000008bf9\192.168.0.2\xpanalyzer1\ BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\ BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\ BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0 BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0 BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Collab BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Collab BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Collab BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\Forms BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0 BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRW BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRW BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\4LU5DXRW BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grm BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grm BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\grm BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgr BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgr BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\sgr BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics\Dictionaries BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe\Linguistics BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Adobe BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Identities BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Identities BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E} BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E} BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Identities\{5223274D-42A6-41C5-9E78-3A6606A65E5E} BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Identities BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWL BothDirectoryInformation * success or wait 1 41410C FindFirstFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWL BothDirectoryInformation unknown success or wait 1 4141FC FindNextFileA
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\WT8AYZWL BothDirectoryInformation unknown no more files 1 4141FC FindNextFileA

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\WS2_32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\WS2HELP.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\Normaliz.dll write and read and execute unknown 330000 36864 own pid read write conflicting addresses 1
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 350000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 360000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 360000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 920000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 390000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 390000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 390000 4096 own pid readonly success or wait 1
unknown query and write and read commit 3B0000 16384 own pid read write success or wait 1
unknown query and write and read commit 3B0000 16384 own pid read write success or wait 1
unknown query and write and read commit 3B0000 16384 own pid read write success or wait 1
unknown query and write and read commit 3B0000 16384 own pid read write success or wait 1
unknown query and write and read commit 3B0000 16384 own pid read write success or wait 1
unknown query and write and read commit 3B0000 16384 own pid read write success or wait 1
unknown query and write and read commit 3B0000 16384 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit B20000 8462336 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit B20000 618496 own pid readonly success or wait 1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768 write unknown 3E0000 32768 own pid read write success or wait 1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Cookies_index.dat_16384 write unknown 3F0000 16384 own pid read write success or wait 1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_index.dat_32768 write unknown B20000 32768 own pid read write success or wait 1
\KnownDlls\RASAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rasapi32.dll query and write and read and execute image 76EE0000 245760 own pid read write success or wait 1
\KnownDlls\rasman.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rasman.dll query and write and read and execute image 76E90000 73728 own pid read write success or wait 1
\KnownDlls\NETAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1
\KnownDlls\TAPI32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\tapi32.dll query and write and read and execute image 76EB0000 192512 own pid read write success or wait 1
\KnownDlls\rtutils.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rtutils.dll query and write and read and execute image 76E80000 57344 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
C:\WINDOWS\system32\tapi32.dll read commit DB0000 184320 own pid readonly success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\msapsspc.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msapsspc.dll query and write and read and execute image 71E50000 86016 own pid read write success or wait 1
\KnownDlls\MSVCRT40.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
\KnownDlls\schannel.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\schannel.dll query and write and read and execute image 767F0000 163840 own pid read write success or wait 1
\KnownDlls\CRYPT32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1
\KnownDlls\MSASN1.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1
\KnownDlls\digest.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\digest.dll query and write and read and execute image 75B00000 86016 own pid read write success or wait 1
\KnownDlls\msnsspc.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msnsspc.dll query and write and read and execute image 747B0000 290816 own pid read write success or wait 1
\KnownDlls\MSVCRT40.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
\KnownDlls\sensapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\sensapi.dll query and write and read and execute image 722B0000 20480 own pid read write success or wait 1
C:\WINDOWS\system32\msv1_0.dll write and read and execute commit DB0000 139264 own pid execute success or wait 1
C:\WINDOWS\system32\msv1_0.dll query and write and read and execute image 77C70000 151552 own pid read write success or wait 1
\KnownDlls\cryptdll.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\cryptdll.dll query and write and read and execute image 76790000 49152 own pid read write success or wait 1
\KnownDlls\iphlpapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\iphlpapi.dll query and write and read and execute image 76D60000 102400 own pid read write success or wait 1
\BaseNamedObjects\SENS Information Cache read unknown DC0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\mswsock.dll write and read and execute commit EF0000 245760 own pid execute success or wait 1
C:\WINDOWS\system32\mswsock.dll query and write and read and execute image 71A50000 258048 own pid read write success or wait 1
\KnownDlls\hnetcfg.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\hnetcfg.dll query and write and read and execute image 662B0000 360448 own pid read write success or wait 1
C:\WINDOWS\system32\wshtcpip.dll write and read and execute commit DD0000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\wshtcpip.dll query and write and read and execute image 71A90000 32768 own pid read write success or wait 1
\KnownDlls\DNSAPI.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\dnsapi.dll query and write and read and execute image 76F20000 159744 own pid read write success or wait 1
C:\WINDOWS\system32\winrnr.dll write and read and execute commit DD0000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\winrnr.dll query and write and read and execute image 76FB0000 32768 own pid read write success or wait 1
\KnownDlls\WLDAP32.dll write and read and execute unknown 76F60000 180224 own pid read write success or wait 1
\KnownDlls\rasadhlp.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rasadhlp.dll query and write and read and execute image 76FC0000 24576 own pid read write success or wait 1
C:\vm_tricks_sample.exe query and write and read and execute and extend size image 76FC0000 24576 own pid read write success or wait 1
\BaseNamedObjects\ShimSharedMemory write unknown FF0000 57344 own pid read write success or wait 1
C:\vm_tricks_sample.exe query and read commit 1000000 196608 own pid readonly success or wait 1

Registry Activities

Key Path Key Value Name Completion Count Source Address Symbol
Key Path Name Type Old Data New Data Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations unicode array (old/new data hex dump omitted) success or wait 1 414A20 MoveFileExA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations unicode array (old/new data hex dump omitted) success or wait 1 414A20 MoveFileExA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations unicode array (old/new data hex dump omitted) success or wait 1 414A20 MoveFileExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs unicode C:\WINDOWS\mssys.dll success or wait 1 414A9C RegSetValueExA
Key Path Name Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Identifier buffer overflow 4 4137DC RegQueryValueExA
HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 Identifier success or wait 4 4137DC RegQueryValueExA
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System SystemBiosVersion success or wait 1 4137DC RegQueryValueExA